We've been using the old Sun Directory Server (DSEE7) for a long time and have had things working in such a way that when a user on Linux or Windows locks the account after so many failures, neither Windows nor Linux will allow them to log in.
The way that was done was to modify the samba source code (in lib/smbldap.c) to point the SambaKickoffTime variable to pwdaccountlockedtime from the LDAP server. This worked.

We want to move to the 389 directory server and perform the same function, but I'm having some issues. The pwdaccountlockedtime isn't there anymore. When the account locks, I see that we have the accountunlocktime attribute being set. Unfortunately, I can't use that field for samba since it's looking for unix time in seconds. The default value of accountunlocktime is Jan 1 1970, so samba thinks that this is some date in the year 600,000+.

So, are any of the following things possible? If so, how can I do it?

1) When an account locks out on the DS, automatically set the SambaKickoffTime attribute in DS to the current time in seconds
2) Change the default value of accountunlocktime to 00000000000000Z instead of 1970....
3) Change the format of the sambakickofftime inside of samba so that it will acknowledge what the DS offers it.
4) Some other way to get samba to acknowledge that account cannot login automatically upon lockout from DS.

Thanks for your help.
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
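Added example for this thread (it is not code from the poster, Samba or 389 DS): a small Python script that does the conversion the poster is missing. It parses an LDAP GeneralizedTime such as accountunlocktime into Unix seconds, decides from that whether the account is currently locked, and emits an LDIF modify that sets sambaKickoffTime to "now" while locked and removes it otherwise, which is the poster's option 1 driven from the DS side. Assumptions that the post does not establish: that accountUnlockTime holds 19700101000000Z while no lockout is active (the 1970 default the poster reports) and a future time while locked; that a sambaKickoffTime in the past makes Samba refuse the login, as the poster's DSEE7 setup relied on; and the DN and timestamps, which are constructed sample data.

```python
"""Bridge 389 DS lockout state (accountUnlockTime) to Samba's sambaKickoffTime.

Added example for this thread, not code from the poster, Samba or 389 DS.
Assumptions (not established by the post):
  * accountUnlockTime is an RFC 4517 GeneralizedTime (e.g. 20240315101500Z),
    reads 19700101000000Z while no lockout is active (the poster's "1970"
    default) and holds a future time while the account is locked.
  * sambaKickoffTime is an integer, seconds since the Unix epoch, and a value
    in the past makes Samba refuse the login.
  * The DN and timestamps below are constructed sample data.
"""
import re
from datetime import datetime, timezone

UNLOCKED_SENTINEL = "19700101000000Z"

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.frac](Z|+HHMM|-HHMM)
_GT_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(?:[.,]\d+)?(Z|[+-]\d{4})$"
)


def generalized_time_to_epoch(value):
    """Parse an LDAP GeneralizedTime into Unix seconds (UTC).

    Reading the 14-digit value as a plain integer is what produces the
    "year 600,000+" the poster saw; this is the conversion Samba would need
    to consume the DS timestamp directly (the poster's option 3).
    """
    m = _GT_RE.match(value.strip())
    if not m:
        raise ValueError("not a GeneralizedTime: %r" % (value,))
    y, mo, d, h, mi, s, tz = m.groups()
    as_utc = datetime(int(y), int(mo), int(d), int(h), int(mi or 0), int(s or 0),
                      tzinfo=timezone.utc)
    epoch = int(as_utc.timestamp())
    if tz != "Z":  # value was written in local time at +HHMM/-HHMM
        sign = 1 if tz[0] == "+" else -1
        epoch -= sign * (int(tz[1:3]) * 3600 + int(tz[3:5]) * 60)
    return epoch


def plan_kickoff(account_unlock_time, now_epoch):
    """Decide what sambaKickoffTime should hold for the DS lockout state.

    Returns ("replace", now_epoch) while the account is locked and
    ("delete", None) once it is not. Note the inversion: accountUnlockTime is
    when the lock *ends*, so copying it straight into sambaKickoffTime would
    let the locked user in until the unlock moment and shut them out after
    it. Kicking off at the time the lock is observed (the poster's option 1)
    is the mapping used here.
    """
    if account_unlock_time is None:
        return ("delete", None)
    unlock_epoch = generalized_time_to_epoch(account_unlock_time)
    if unlock_epoch <= 0 or unlock_epoch <= now_epoch:
        return ("delete", None)
    return ("replace", now_epoch)


def build_ldif(dn, action, value):
    """Render one 'changetype: modify' record for ldapmodify.

    Deleting an attribute that is absent is an LDAP error (noSuchAttribute),
    so a sweep over many entries should read the entry first or tolerate
    that result.
    """
    if action == "replace":
        body = "replace: sambaKickoffTime\nsambaKickoffTime: %d\n-\n" % value
    else:
        body = "delete: sambaKickoffTime\n-\n"
    return "dn: %s\nchangetype: modify\n%s\n" % (dn, body)


if __name__ == "__main__":
    # Constructed sample: what a poller might have read from two entries.
    now = 1710497700  # 2024-03-15 10:15:00Z
    entries = [
        ("uid=alice,ou=People,dc=example,dc=com", "20240315110000Z"),  # locked
        ("uid=bob,ou=People,dc=example,dc=com", UNLOCKED_SENTINEL),     # not locked
    ]
    for dn, unlock in entries:
        action, value = plan_kickoff(unlock, now)
        print(build_ldif(dn, action, value))
```

The script only prints LDIF; feeding it to ldapmodify, and running it often enough (or from a DS post-operation hook) to track lockouts and unlocks, is left to the deployment. Whatever drives it has to clear sambaKickoffTime again when the DS lockout expires, otherwise Samba keeps the user out after the directory has let them back in.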